On Tue, 5 Nov 2024 at 19:35, Eric Norris wrote:
> > > That said, as I mentioned above I would be fine with removing cookie
> > > jar persistence if that was necessary to secure a passing vote, since
> > > it's not our primary focus.
> >
> > Given the information regarding the TLS re-use, the cook
> > That said, as I mentioned above I would be fine with removing cookie
> > jar persistence if that was necessary to secure a passing vote, since
> > it's not our primary focus.
>
> Given the information regarding the TLS re-use, the cookie sharing is my
> only remaining concern. In fact with cook
> > Here's a pull request indicating that the curl team considers TLS
> > reuse safe: https://github.com/curl/curl/pull/1917. I believe they
> > consider it a vulnerability if you are able to make curl incorrectly
> > reuse a TLS session with differing TLS settings.
>
> Thank you. That would be use
Hi
On 2024-10-28 16:31, Eric Norris wrote:
I think it's interesting to note that within a request, users are
still vulnerable to accidentally over-sharing cookies. It's unclear to
Yes.
me why we would draw the line at persistence, considering it would be
opt-in. That is, even if you're not
> >> Accidentally sharing a cookie jar for unrelated requests due to a badly
> >> chosen `$persistent_id` sounds like a vulnerability that is bound to
> >> happen to someone.
> >
> > I'll admit that I don't have a good response to this, since while I
> > agree this is possible, I don't think it
Hi
On 2024-10-25 16:29, Eric Norris wrote:
I'm especially concerned, because the documentation for
`curl_share_init()` uses `CURL_LOCK_DATA_COOKIE` as the example. I would
also assume that sharing a cookie jar amongst several requests is the
primary use case for leveraging a curl share handl
> On Fri, Oct 25, 2024 at 3:34 AM Tim Düsterhus wrote:
> Apologies, I wanted to chime in before the vote started, but I was too
> busy.
I appreciate that you took the time to respond at all, so thank you.
> Persistent handles / resources / objects violate PHP’s shared-nothing
> request model, wh
Hi
On 2024-10-24 20:20, Eric Norris wrote:
I have opened the vote for "Add persistent curl share handles":
https://wiki.php.net/rfc/curl_share_persistence
Apologies, I wanted to chime in before the vote started, but I was too
busy. Nevertheless I want to share my reasons for voting "no" on
Hello internals,
I have opened the vote for "Add persistent curl share handles":
https://wiki.php.net/rfc/curl_share_persistence
The vote will last for two weeks, until 2024-11-08 0:00 UTC.
Thanks!